rpms/pki-core
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import pki-core-10.10.5-3.module+el8.4.0+11039+635979e4

Browse Source
This commit is contained in:
CentOS Sources 2021-06-03 03:55:03 -04:00 committed by Andrew Lukoshko
parent 000d4583c5
commit 7b23e1ce93
4 changed files with 328 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
SOURCES/0001-Fix-permission-for-existing-installation-logs.patch Normal file
View File

@ -0,0 +1,31 @@
From 82eaf721ea35d7e6ad5bcdb4c1a5f5862aeed59c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 17 May 2021 17:39:50 -0500
Subject: [PATCH] Fix permission for existing installation logs
The spec file has been updated to remove world access
from existing installation logs in /var/log/pki.
Resolves: CVE-2021-3551
---
pki.spec | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/pki.spec b/pki.spec
index a9ea345d8f..64bfd4fe7d 100644
--- a/pki.spec
+++ b/pki.spec
@@ -991,6 +991,10 @@ fi
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
## PKI deployment process
+# CVE-2021-3551
+# Remove world access from existing installation logs
+find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
+
# Reload systemd daemons on upgrade only
if [ "$1" == "2" ]
then
--
2.30.2

49
SOURCES/0001-Fix-permission-for-new-installation-logs.patch Normal file
View File

@ -0,0 +1,49 @@
From 7da63502137eb8c111b8ae5b5426aec8f7ebdf6b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 17 May 2021 15:39:44 -0500
Subject: [PATCH] Fix permission for new installation logs
The enable_pki_logger() has been updated to disable
world access for new installation logs to be created
in /var/log/pki.
Resolves: CVE-2021-3551
---
.../python/pki/server/deployment/pkilogging.py | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/base/server/python/pki/server/deployment/pkilogging.py b/base/server/python/pki/server/deployment/pkilogging.py
index 089a292559..0926173700 100644
--- a/base/server/python/pki/server/deployment/pkilogging.py
+++ b/base/server/python/pki/server/deployment/pkilogging.py
@@ -21,8 +21,12 @@
# System Imports
from __future__ import absolute_import
import logging
+import os
+import pathlib
import pprint
+import pki
+
sensitive_parameters = []
# Initialize 'pretty print' for objects
@@ -51,8 +55,12 @@ def enable_pki_logger(filename, name):
console_format = logging.Formatter('%(levelname)s: %(message)s')
console.setFormatter(console_format)
- # Configure file handler
- log_file = logging.FileHandler(filename, 'w')
+ # Create an empty file with the proper permission
+ pathlib.Path(filename).touch()
+ os.chmod(filename, pki.server.DEFAULT_FILE_MODE)
+
+ # Configure file handler with append mode to preserve the permission
+ log_file = logging.FileHandler(filename)
file_format = logging.Formatter('%(asctime)s %(levelname)s: %(message)s',
'%Y-%m-%d %H:%M:%S')
log_file.setFormatter(file_format)
--
2.30.2

236
SOURCES/0001-Use-password-file-when-creating-admin-user.patch Normal file
View File

@ -0,0 +1,236 @@
From 5764a80e5edd7fa38323146261c6b4e498d282dd Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 17 May 2021 18:17:26 -0500
Subject: [PATCH] Use password file when creating admin user
The pki-server <subsystem>-user-add has been updated to
provide a --password-file option. The deployment tool
has been modified to use this option when creating the
admin user to avoid the password from getting logged in
the debug mode.
Resolves: CVE-2021-3551
---
base/server/python/pki/server/cli/user.py | 9 ++-
.../python/pki/server/deployment/__init__.py | 5 +-
base/server/python/pki/server/subsystem.py | 74 +++++++++++--------
.../server/cli/SubsystemUserAddCLI.java | 11 +++
4 files changed, 66 insertions(+), 33 deletions(-)
diff --git a/base/server/python/pki/server/cli/user.py b/base/server/python/pki/server/cli/user.py
index c00a1acb50..c5c8d52956 100644
--- a/base/server/python/pki/server/cli/user.py
+++ b/base/server/python/pki/server/cli/user.py
@@ -47,6 +47,7 @@ class UserAddCLI(pki.cli.CLI):
print(' --full-name <full name> Full name')
print(' --email <email> Email')
print(' --password <password> Password')
+ print(' --password-file <path> Password file')
print(' --phone <phone> Phone')
print(' --type <type> Type')
print(' --state <state> State')
@@ -59,7 +60,8 @@ class UserAddCLI(pki.cli.CLI):
def execute(self, argv):
try:
opts, args = getopt.gnu_getopt(argv, 'i:v', [
- 'instance=', 'full-name=', 'email=', 'password=',
+ 'instance=', 'full-name=', 'email=',
+ 'password=', 'password-file=',
'phone=', 'type=', 'state=', 'tps-profiles=',
'verbose', 'debug', 'help'])
@@ -73,6 +75,7 @@ class UserAddCLI(pki.cli.CLI):
full_name = None
email = None
password = None
+ password_file = None
phone = None
user_type = None
state = None
@@ -91,6 +94,9 @@ class UserAddCLI(pki.cli.CLI):
elif o == '--password':
password = a
+ elif o == '--password-file':
+ password_file = a
+
elif o == '--phone':
phone = a
@@ -149,6 +155,7 @@ class UserAddCLI(pki.cli.CLI):
full_name=full_name,
email=email,
password=password,
+ password_file=password_file,
phone=phone,
user_type=user_type,
tps_profiles=tps_profiles,
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 347ab1acdd..6d5f083b47 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -373,6 +373,8 @@ class PKIDeployer:
response = client.setupAdmin(request)
+ # Run the command as current user such that
+ # it can read the temporary password file.
subsystem.add_user(
uid,
full_name=full_name,
@@ -380,7 +382,8 @@ class PKIDeployer:
password=password,
user_type='adminType',
state='1',
- tps_profiles=tps_profiles)
+ tps_profiles=tps_profiles,
+ as_current_user=True)
admin_groups = subsystem.config['preop.admin.group']
groups = [x.strip() for x in admin_groups.split(',')]
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
index a3ed0c7f3a..41d8d67c2e 100644
--- a/base/server/python/pki/server/subsystem.py
+++ b/base/server/python/pki/server/subsystem.py
@@ -1335,54 +1335,66 @@ class PKISubsystem(object):
full_name=None,
email=None,
password=None,
+ password_file=None,
phone=None,
user_type=None,
state=None,
tps_profiles=None,
as_current_user=False):
- cmd = [self.name + '-user-add']
+ tmpdir = tempfile.mkdtemp()
- if full_name:
- cmd.append('--full-name')
- cmd.append(full_name)
+ try:
+ if password and not password_file:
+ password_file = os.path.join(tmpdir, 'password.txt')
+ with open(password_file, 'w') as f:
+ f.write(password)
- if email:
- cmd.append('--email')
- cmd.append(email)
+ cmd = [self.name + '-user-add']
- if password:
- cmd.append('--password')
- cmd.append(password)
+ if full_name:
+ cmd.append('--full-name')
+ cmd.append(full_name)
- if phone:
- cmd.append('--phone')
- cmd.append(phone)
+ if email:
+ cmd.append('--email')
+ cmd.append(email)
- if user_type:
- cmd.append('--type')
- cmd.append(user_type)
+ if password_file:
+ cmd.append('--password-file')
+ cmd.append(password_file)
- if state:
- cmd.append('--state')
- cmd.append(state)
+ if phone:
+ cmd.append('--phone')
+ cmd.append(phone)
- if tps_profiles:
- cmd.append('--tps-profiles')
- cmd.append(','.join(tps_profiles))
+ if user_type:
+ cmd.append('--type')
+ cmd.append(user_type)
- if logger.isEnabledFor(logging.DEBUG):
- cmd.append('--debug')
+ if state:
+ cmd.append('--state')
+ cmd.append(state)
- elif logger.isEnabledFor(logging.INFO):
- cmd.append('--verbose')
+ if tps_profiles:
+ cmd.append('--tps-profiles')
+ cmd.append(','.join(tps_profiles))
- cmd.append(user_id)
+ if logger.isEnabledFor(logging.DEBUG):
+ cmd.append('--debug')
- self.run(
- cmd,
- as_current_user=as_current_user,
- capture_output=True)
+ elif logger.isEnabledFor(logging.INFO):
+ cmd.append('--verbose')
+
+ cmd.append(user_id)
+
+ self.run(
+ cmd,
+ as_current_user=as_current_user,
+ capture_output=True)
+
+ finally:
+ shutil.rmtree(tmpdir)
def modify_user(self, user_id, add_see_also=None, del_see_also=None,
as_current_user=False):
diff --git a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
index 5a385c359f..04d68de758 100644
--- a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
+++ b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
@@ -6,6 +6,8 @@
package org.dogtagpki.server.cli;
import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
@@ -60,6 +62,10 @@ public class SubsystemUserAddCLI extends CommandCLI {
option.setArgName("password");
options.addOption(option);
+ option = new Option(null, "password-file", true, "Password file");
+ option.setArgName("path");
+ options.addOption(option);
+
option = new Option(null, "phone", true, "Phone");
option.setArgName("phone");
options.addOption(option);
@@ -95,11 +101,16 @@ public class SubsystemUserAddCLI extends CommandCLI {
String email = cmd.getOptionValue("email");
String password = cmd.getOptionValue("password");
+ String passwordFile = cmd.getOptionValue("password-file");
String phone = cmd.getOptionValue("phone");
String type = cmd.getOptionValue("type");
String state = cmd.getOptionValue("state");
String tpsProfiles = cmd.getOptionValue("tps-profiles");
+ if (passwordFile != null) {
+ password = new String(Files.readAllBytes(Paths.get(passwordFile)), "UTF-8").trim();
+ }
+
String catalinaBase = System.getProperty("catalina.base");
TomcatJSS tomcatjss = TomcatJSS.getInstance();
--
2.30.2

14
SPECS/pki-core.spec
View File

@ -13,7 +13,7 @@ License: GPLv2 and LGPLv2
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
Version: 10.10.5
Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
Release: 3%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -beta1
# To create a tarball from a version tag:
@ -37,6 +37,9 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
# [Errno 111] Connection refused -- Some packages may not be found!
Patch1: 0001-Removed-dependency-on-pytest-runner.patch
Patch2: 0001-Fix-renewal-profile-approval-process.patch
Patch3: 0001-Use-password-file-when-creating-admin-user.patch
Patch4: 0001-Fix-permission-for-new-installation-logs.patch
Patch5: 0001-Fix-permission-for-existing-installation-logs.patch
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
@ -1021,6 +1024,10 @@ fi
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
## PKI deployment process
# CVE-2021-3551
# Remove world access from existing installation logs
find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
# Reload systemd daemons on upgrade only
if [ "$1" == "2" ]
then
@ -1395,8 +1402,11 @@ fi
################################################################################
%changelog
* Wed May 19 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-3
- Bug 1960146 - CVE-2021-3551 Dogtag installer "pkispawn" logs admin credentials into a world-readable log file
* Tue Mar 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-2
- Bug 1914396 - CVE-2021-20179 pki-core:10.6/pki-core: Unprivileged users can renew any certificate
- Bug 1914396 - CVE-2021-20179 Unprivileged users can renew any certificate
* Tue Feb 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-1
- Rebase to PKI 10.10.5